Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to convert the time and calculate the difference in a query?

pavanae
Builder
‎07-12-2022 10:57 AM

Hello Splunkers, 

I have a query as follows 

 

My query blah blah blah |stats latest(description) as description latest(result) as result latest(object) as object by host source _time

 

which gives the result as follows 

pavanae_1-1657648352473.png

 

As highlighted with yellow color on the above results there are two different time values one under _time and the other under description. 

 

Now I want to filter the results for the hosts that has more than 24 hours in the difference between _time and the time in the description. Something like below 

difference time = (_time - time_in_the_description) > 24 hours 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2022 11:54 AM 
| rex field=description "Last event received from [^:]+: (?<description_time>\d+\-\d+\-\d+\s\d+:\d+)"
| where _time-strptime(description_time,"%Y-%d-%m %H:%M") > 60*60*24

View solution in original post

0 Karma
Reply
Solved! Jump to solution

pavanae
Builder
‎07-12-2022 11:51 AM

Thanks for the response. the regex provided didn't worked. Let me provide the full syntax of the Description below 

Last event received from host_1 (ABCD-1234): 2022-12-06 23:59. logtype=ABC
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2022 11:54 AM 
| rex field=description "Last event received from [^:]+: (?<description_time>\d+\-\d+\-\d+\s\d+:\d+)"
| where _time-strptime(description_time,"%Y-%d-%m %H:%M") > 60*60*24
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-12-2022 11:30 AM

It is a little difficult to see what your data looks like from the picture, but assuming I have worked out the pattern correctly, try something like this

| rex field=description "Last event received from \S+ : (?<description_time>\d+\-\d+\-\d+\s\d+:\d+)"
| where _time-strptime(description_time,"%Y-%d-%m %H:%M") > 60*60*24
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...